We have a PHP application that we want to have code-reviewed by an external security consultant, but I'm not clear on "how to" go about that process.
We did specify what kind of tests he should be ...

What are the relative advantages and disadvantages of each form of testing?
I.e., what is the difference between static code analysis and runtime/dynamic penetration testing?
What are the pros and cons ...